LDAP User Manual
Introduction
LDAP (Lightweight Directory Access Protocol) is a standard protocol for accessing and managing information stored in directory services such as Microsoft Active Directory and OpenLDAP. It is commonly used to centralize information about users, groups and resources on a network, for example in authentication systems, contact directories and access management systems.
This manual covers LDAP administration with the Apache Directory Studio tool.

Getting started
Creating a connection
From the File -> New menu, open the wizard and choose LDAP Browser -> LDAP Connection. Alternatively, right-click in the Connections window and choose New Connection.
Fill in only the Connection name and the Hostname (or IP address), then proceed to the next screen.

Fill in the Bind DN or User and Bind password fields with the credentials provided by the team that set up the LDAP server. Once configured, click Check Authentication to confirm that the bind succeeds before saving the connection.

(Optional) On the next screen, Browser Options, check Fetch operational attributes while browsing so that the groups each user belongs to are visible while browsing.
Connecting via the Connections tab
In the Connections list, double-click the server you want to connect to, or select it and click the connection icon (highlighted in red in the image below).

If the connection is successful, the server icon will change to yellow:

LDAP structure
Directory tree
The tree is essentially based on two branches, Groups and Users, and may additionally include a Policies branch for password policies.

Acronyms
dc - Domain Component
ou - Organizational Unit (the unit to which the entry belongs)
cn - Common Name
sn - Surname (the person's name)
uid - User ID
mail - E-mail address
Tree Users
In this tree users are created and their passwords set. It can be structured in sublevels (grouping by location, department, etc.) to make organizing users easier.
Tree Groups
In this tree the groups that represent access permissions/roles in the tools are defined. Access is granted by adding the user to the desired group.
Example of groups:
etr_view - Users added to this group receive the permissions defined in the group, which grant viewer access to ETR.
bcc_verify - Users added to this group can log in to BCC and perform verification searches (1:1 searches).
User registration
When creating a user, fill in the following attributes:
cn - used as the user's login name.
sn - used to register the user's full name.
uid - reserved for future use; fill it in with the same text as the cn.
userPassword - the user's password.
mail - used to register the user's e-mail address.
To register a user, right-click on ou=Users and choose New -> New Entry:

The user creation screen will open. If there are intermediate organizational units (sublevels), change the parent in the creation path; otherwise the user will be created at the root of the Users branch.

On the next screen, remove organizationalUnit:

Add inetOrgPerson and the application will automatically bring the dependency classes organizationalPerson, person and top:

Proceed to the next screen to set the RDN. Choose cn and fill it in with the desired login:

This screen shows a summary of what will be created and lets you set the sn. Fill it in, whenever possible, with the user's full name.

Then, right-click and choose New Attribute:

Choose uid and fill in its value.
The value of the uid must be provided by the system user administrator.
Next, the attribute userPassword:

When you finish, the password editor will open. Choose CRYPT-SHA-512 as the hash method and enter the desired password. Do not store the password in plain text: the userPassword value is stored exactly as entered and is readable by anyone allowed to read that attribute.

Finally, delete the objectClass organizationalPerson (structural) by right-clicking and choosing Delete Value:

Adding a group to a user
Under Users, open the user record and copy the DN of the user shown in the header of the screen:

DN stands for Distinguished Name, the name that uniquely identifies an object in LDAP. It gives the path to a specific entry within the directory hierarchy, which is organized as a tree. A DN is a sequence of relative distinguished names (RDNs) separated by commas; each RDN is an attribute=value component of the DN.
For example:

cn=leandro.pinheiro: Common Name (cn) of the entry. It is generally used for the names of people or objects.
ou=Users: Organizational Unit (ou) where the entry is located.
dc=oldap: Domain Component (dc). It can represent a subdomain or a specific part of the domain within the LDAP structure.
dc=igp: Another Domain Component (dc), representing another part of the domain, possibly a department or subdivision within the organization.
dc=griaule: Top-level Domain Component (dc), representing the organization's main domain.
Therefore, the DN cn=leandro.pinheiro,ou=Users,dc=oldap,dc=igp,dc=griaule identifies a specific user named leandro.pinheiro within the organizational unit Users, which is part of the subdomain oldap, of the domain igp, within the main domain griaule. Read from right to left, the DN is the path from the directory root down to this entry, and it is unique within the directory.
Then, open the Groups root and select the desired group. Right-click the group and choose New Attribute. In Attribute Type, choose member and click Finish.

In the DN Editor, paste the user's full DN (copied in the first step) and click OK:

Quick addition of a group to a user
When the group already has members, adding another user is faster: right-click the member attribute and choose New Value. The DN Editor will open; as in the previous section, paste the user's full DN and click OK.

Removing the user from a group
Open the group in which the user is:

Right-click the member value holding the DN of the user you want to remove from the group and click Delete Value:

Confirm by clicking OK:

Group creation
To create a new group, right-click on ou=Groups and choose New -> New Entry.

The creation screen will open, similar to user creation. Choose the option organizationalUnit.

Choose ou as the RDN attribute and fill in a name; in the example below, LDAP was chosen. Click Finish to create the group.
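The Studio steps in User registration, Adding a group to a user and Removing the user from a group all translate into LDIF records that ldapadd/ldapmodify accept. The following Python is an added example, not code from the original manual. It assumes the page's base DN dc=oldap,dc=igp,dc=griaule and its ou=Users / ou=Groups layout, assumes group entries use cn as their RDN (cn=etr_view), and uses a placeholder string where the hash produced by the Studio password editor would go. It lists the full object class chain in the add record, which is valid LDIF; the page's final step of removing organizationalPerson is a Studio-side choice that is not reproduced here.

```python
"""LDIF equivalents of the user-registration and group-membership steps.

Added example, not part of the original manual.  Base DN, ou layout and the
group name etr_view are the page's; the e-mail and password values below are
constructed placeholders.
"""
import base64
import re

BASE_DN = "dc=oldap,dc=igp,dc=griaule"  # the page's own example base

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an
# attribute value of a DN (a cn such as "Smith, John" would otherwise split).
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out[:1] in ("#", " "):                       # leading '#' or space
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):  # trailing space
        out = out[:-1] + "\\ "
    return out


def parse_dn(dn: str):
    """Split a DN into its RDNs as (attribute, value) pairs, left to right.

    An escaped comma ("\\,") stays inside its value instead of splitting it.
    Values are returned still in their escaped DN form.
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    return [tuple(part.strip().split("=", 1)) for part in rdns]


def user_dn(cn: str, sub_ous=()) -> str:
    """DN of a user under ou=Users.  sub_ous lists intermediate OUs from the
    one directly below Users down to the leaf, e.g. ("policiaCivil", "SC")."""
    rdns = [f"cn={escape_dn_value(cn)}"]
    rdns += [f"ou={escape_dn_value(ou)}" for ou in reversed(sub_ous)]
    rdns += ["ou=Users", BASE_DN]
    return ",".join(rdns)


def group_dn(group_cn: str) -> str:
    """DN of a group under ou=Groups (cn as RDN is an assumption)."""
    return f"cn={escape_dn_value(group_cn)},ou=Groups,{BASE_DN}"


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line.  Values that are not RFC 2849 SAFE-STRINGs
    (non-ASCII such as accented names, leading space/':'/'<', trailing space)
    are base64-encoded with the 'name:: value' form."""
    raw = value.encode("utf-8")
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(b > 127 or b in (0, 10, 13) for b in raw))
    if unsafe:
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {value}"


def user_entry_ldif(cn, sn, uid, mail, user_password, sub_ous=()) -> str:
    """ldapadd record for the inetOrgPerson entry described in User registration."""
    lines = [f"dn: {user_dn(cn, sub_ous)}", "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in
              ("top", "person", "organizationalPerson", "inetOrgPerson")]
    lines += [ldif_attr("cn", cn), ldif_attr("sn", sn), ldif_attr("uid", uid),
              ldif_attr("mail", mail), ldif_attr("userPassword", user_password)]
    return "\n".join(lines) + "\n"


def group_member_ldif(group_cn, member_dn, add=True) -> str:
    """ldapmodify record that adds (or deletes) one member value on a group:
    the New Attribute / New Value / Delete Value steps on 'member'."""
    op = "add" if add else "delete"
    return "\n".join([f"dn: {group_dn(group_cn)}", "changetype: modify",
                      f"{op}: member", f"member: {member_dn}", "-"]) + "\n"


if __name__ == "__main__":
    dn = user_dn("leandro.pinheiro")
    print(parse_dn(dn))
    print(user_entry_ldif("leandro.pinheiro", "Leandro Pinheiro",
                          "leandro.pinheiro", "user@example.com",   # constructed
                          "{CRYPT}$6$PLACEHOLDER"))                  # placeholder hash
    print(group_member_ldif("etr_view", dn))
    print(group_member_ldif("etr_view", dn, add=False))
```

Feed the printed records to ldapadd -f or ldapmodify -f with the same bind DN used in Studio; the escaping helpers matter as soon as a cn or ou contains a comma, a leading '#' or non-ASCII characters, which the GUI handles silently but a hand-written LDIF does not.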

LDAP navigation
Searching for user groups using "Quick Search"
To find a user's groups, go to the LDAP search (Quick Search) and select either cn or member as the attribute.
If you select member, you must search using the user's full DN.
At the top right, check whether the following icon is selected:
If not, select it. This makes the search cover the whole Groups tree (the options are search one level only and search whole subtree).

Check the response in the Quick Search:

Never delete a user from the Quick Search results: the search returned the groups the user belongs to, so deleting a row there deletes the group, not the user.
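The Quick Search above is a subtree search under ou=Groups with the filter (member=<user DN>). The Python below, an added example that is not part of the original manual, builds that filter with RFC 4515 escaping and evaluates it against a few constructed group entries. The user DN is the page's example; the group entries, the second user and the case-only difference in one member value are constructed for the demonstration. It also shows why the results are group entries and not the user.

```python
"""Quick Search for a user's groups: filter construction and evaluation.

Added example, not part of the original manual.  The group entries below are
constructed; only the base DN and the user DN come from the page.
"""

BASE = "dc=oldap,dc=igp,dc=griaule"
USER = "cn=leandro.pinheiro,ou=Users," + BASE        # the page's example DN
OTHER = "cn=other.user,ou=Users," + BASE             # constructed

GROUPS = {  # constructed entries under ou=Groups, as a subtree search sees them
    f"cn=etr_view,ou=Groups,{BASE}": {"member": [USER, OTHER]},
    f"cn=bcc_verify,ou=Groups,{BASE}": {"member": [OTHER]},
    f"cn=LDAP,ou=Groups,{BASE}": {"member": [USER.upper()]},  # same DN, different case
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value.  A pasted DN or a cn typed
    into Quick Search is data, not filter syntax; without this, a value such
    as '*' or ')(cn=*' rewrites the filter (LDAP filter injection)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def groups_of_member_filter(user_dn: str) -> str:
    """Quick Search with attribute 'member': the value is the user's full DN."""
    return f"(member={escape_filter_value(user_dn)})"


def entry_by_cn_filter(cn: str) -> str:
    """Quick Search with attribute 'cn'."""
    return f"(cn={escape_filter_value(cn)})"


def normalize_dn(dn: str) -> str:
    """DN equality ignores case and whitespace around the RDN separators.
    Both sides get the same treatment, so the comparison stays consistent
    even for DNs with escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def search_member(groups: dict, user_dn: str) -> list:
    """Evaluate (member=<dn>) over the Groups subtree.  The result is the
    list of matching GROUP DNs, which is why deleting a Quick Search result
    removes a group, never the user."""
    target = normalize_dn(user_dn)
    return sorted(dn for dn, attrs in groups.items()
                  if any(normalize_dn(m) == target for m in attrs.get("member", [])))


if __name__ == "__main__":
    print(groups_of_member_filter(USER))
    print(entry_by_cn_filter("*)(uid=*"))       # injection attempt, neutralized
    print(search_member(GROUPS, USER))
```

The cn form of the search is the one most exposed to injection when the name comes from another system rather than from a typed value; the escaping helper is the check to keep in any script that reproduces Quick Search.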
User's group list in the user's description
Another way to check the groups the user belongs to is through Fetch.
For this, right-click on the user's name and choose Fetch -> Fetch Operational Attributes:

It is also possible to enable this permanently: right-click the connection and choose Properties, then click Connection and open Browser Options. Under Features, check Fetch operational attributes while browsing:

Thus, the groups the user belongs to will be displayed during navigation:

Password change
Locate the user via Quick Search, as shown in the step by step above.
After locating the user, double-click userPassword and open the New Password tab.

Enter the new password and confirm.
After applying the new password, the Modification Logs screen will appear confirming your change.
Password verification
To verify a password, first locate the user via Quick Search, as shown in the step by step above.
After locating the user, double-click userPassword and open the Current Password tab.
In the Verify Password field, enter the user's current password and click Verify.
If the password is correct, the message "Password verified successfully" will be displayed.
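What the Verify button does server-side is recompute the hash with the salt stored in userPassword and compare it with the stored digest; what it cannot tell you is whether every user was stored with the CRYPT-SHA-512 method chosen in User registration. The Python below is an added example, not code from the original manual or from Apache Directory Studio. It classifies the {scheme} prefix of userPassword values (CRYPT-SHA-512 is stored as {CRYPT}$6$...), lists entries stored in plain text or with an unsalted legacy digest, and implements hash and verify for {SSHA}, the salted scheme the Python standard library can produce without a crypt(3) implementation (verifying a {CRYPT}$6$ value needs crypt(3), which Python removed from the standard library in 3.13). The sample entries and their values are constructed.

```python
"""Audit of userPassword storage schemes, plus {SSHA} hash/verify.

Added example, not part of the original manual.  Sample entries are
constructed; the acceptable-scheme list is an assumption stated here.
"""
import base64
import hashlib
import hmac
import os
import re

# crypt(3) identifiers inside a {CRYPT} value
_CRYPT_IDS = {"$6$": "CRYPT-SHA-512", "$5$": "CRYPT-SHA-256", "$1$": "CRYPT-MD5",
              "$2a$": "BCRYPT", "$2b$": "BCRYPT", "$2y$": "BCRYPT"}
# Assumed policy: salted schemes only; {SHA}/{MD5}/plain DES crypt/plaintext fail.
_ACCEPTABLE = {"CRYPT-SHA-512", "CRYPT-SHA-256", "BCRYPT", "PBKDF2-SHA256",
               "PBKDF2-SHA512", "ARGON2", "SSHA", "SSHA256", "SSHA512"}


def password_scheme(stored: str) -> str:
    """Name the storage scheme of one userPassword value."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", stored, re.S)
    if not m:
        return "PLAINTEXT"            # no {scheme} prefix: stored as typed
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme                 # e.g. SSHA, SHA, MD5, PBKDF2-SHA512
    for prefix, name in _CRYPT_IDS.items():
        if rest.startswith(prefix):
            return name
    return "CRYPT-DES"                # 13-char traditional crypt: 8-char limit


def audit_passwords(entries: dict) -> list:
    """Return (dn, scheme) for every entry whose userPassword is plaintext or an
    unsalted/legacy digest.  An empty list means every value is acceptable."""
    findings = []
    for dn, attrs in entries.items():
        for value in attrs.get("userPassword", []):
            scheme = password_scheme(value)
            if scheme not in _ACCEPTABLE:
                findings.append((dn, scheme))
    return findings


def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA} = base64(sha1(password || salt) || salt), with a fresh 8-byte salt."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """What Verify does for an {SSHA} value: recompute with the stored salt and
    compare in constant time."""
    if password_scheme(stored) != "SSHA":
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]           # sha1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


SAMPLE = {  # constructed entries; hash strings are placeholders, not real secrets
    "cn=a,ou=Users,dc=oldap,dc=igp,dc=griaule": {"userPassword": ["{CRYPT}$6$abcdefgh$notarealhash"]},
    "cn=b,ou=Users,dc=oldap,dc=igp,dc=griaule": {"userPassword": ["secret123"]},
    "cn=c,ou=Users,dc=oldap,dc=igp,dc=griaule": {"userPassword": ["{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="]},
    "cn=d,ou=Users,dc=oldap,dc=igp,dc=griaule": {"userPassword": [ssha_hash("correct horse")]},
}

if __name__ == "__main__":
    for dn, scheme in audit_passwords(SAMPLE):
        print(f"{dn}: stored as {scheme}")
    print(verify_ssha("correct horse", SAMPLE["cn=d,ou=Users,dc=oldap,dc=igp,dc=griaule"]["userPassword"][0]))
```

To run the audit against the real directory, export userPassword with the same administrative bind used in Studio (ldapsearch -b ou=Users,... userPassword) and feed the values to audit_passwords; the attribute is only returned to identities allowed to read it.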

User organization
Users by subgroups
Efficient organization of users in an LDAP directory can be achieved through subtrees. This structure facilitates directory administration, allowing clear segmentation of users based on specific criteria such as company, department or contracts.
Concept of User Subtree
To optimize user management, it is recommended to implement a hierarchical subtree with at most one or two levels of depth. This practice ensures a logical separation of users, bringing clarity and efficiency to directory administration.
Advantages of the User Subtree
Simplification of Administration: Reduces the complexity of LDAP administration.
Structured Organization: Makes it easier to locate and manage LDAP objects.
Performance Improvement: Minimizes response time in LDAP queries and operations.

This structure exemplifies:
ROOT: Root level of the LDAP directory.
Organization: Main organizational unit.
UF: Federative Unit, exemplified by SP (São Paulo).
CONTRACT: Subdivision by contract, such as Scientific Police.
USER: Users within the specific contract.
Permission: Permissions associated with the users.
Another example, this one taken directly from LDAP, is a tree of subgroups: a group policiaCivil containing a subgroup SC.
